42

I have just received a message asking to consent to PayPal policy updates from the domain:

https://epl.paypal-communication.com

The actual link is full of trackers. Given the domain name, it sounds like a routine email spoof. Also, visiting the domain, you are welcomed by a "503 Service Unavailable" message.

After some investigations, including whois, the weird domain seems really linked to PayPal.com. That being the case:

  • Why should a company (and in particular a company dealing with payments) send messages from another domain?

  • Why add countless trackers if you can already recognise users from logon?

Should the practice of sending messages from somecompany.com using anothercompany.com become established, it will be virtually impossible for us users to tell if a website is legit or a scam.

Anders
antonio

2 Answers

26

> Should the practice of sending messages from somecompany.com using anothercompany.com become established, it will be virtually impossible for us users to tell if a website is legit or a scam.

Unfortunately, this practice is already established - and yes, it makes it very hard to tell legitimate communications from spam. Companies use partners and third parties to handle their email all the time.

> Why should a company (and in particular a company dealing with payments) send messages from another domain?

Because companies outsource non-core functions like marketing to third parties for economic reasons.

> Why add countless trackers if you can already recognise users from logon?

Trackers can provide a lot more psychographic information than logon can, and that information is valuable to marketing departments.

Mark Beadles
  • You are right. This is already an ongoing thing, which includes even credit card companies. The sad thing is, you get calls from collection agents, which are marked as "SPAM" by caller "ID". – madhairsilence Jul 08 '19 at 10:36
  • 1
    AFAIK, it is much easier to purge an outsourced domain's tracker data if shit hits the fan, rather than nuking all origin domain log data. – mootmoot Jul 08 '19 at 13:49
  • 1
    They are not the only ones to do this, even [StackOverflow uses other domains](https://meta.stackexchange.com/questions/327397/links-in-e-mails-look-like-phishing) in its official e-mails. They even use a rather suspicious `.email` domain. – allo Aug 07 '19 at 09:28
  • PayPal's own guidelines on how to spot a fake email https://www.paypal.com/gf/smarthelp/article/how-to-spot-fake,-spoof,-or-phishing-emails-faq2340 say: "Ask you to click on links that take you to a fake website. If there's a link in an email, always check it before you click. A link could look perfectly safe like www.paypal.com/SpecialOffers. Make sure to move your mouse over the link to see the true destination. If you aren’t certain, don’t click on the link. Just visiting a bad website could infect your machine." – Henrik Høyer Feb 12 '20 at 16:35
  • 1
    The biggest offender in my opinion of this crime is Burger King. The official website they print on receipts in Germany is - I kid you not - bk-feedback-de.com. I assume feedback.burgerking.com/de was taken. –  Feb 13 '20 at 10:04
  • I hate PayPal, their whole security infrastructure is a huge pile of shit and every time I stumble into something new about them (like in this case), things always get worse. – Avio Mar 03 '20 at 21:37
  • Tracking example: login can't tell you who read the email without clicking the link. – user253751 Jul 21 '20 at 21:34
  • How hard should it be for a company (e.g. company.example.com) to set up a hostname within their domain which would accept a URL of the form `https://forwarder.company.example.com.com/abcd12345/whatever`, look up `abcd12345` in a table and, if it's associated with `https://company-magic.example.com/fwd`, issue a forward to `https://company-magic.example.com/fwd/whatever`? Someone at corporate would need to have a list of domains that are controlled by authorized entities, but could leave the actual management of those domains to the outside entities in question. – supercat Mar 15 '21 at 18:04
3

I am going to add my two cents to this.

Those of you who have received said email that has a hyperlink "epl.paypal-communication.com/xxxxxx": have any of you ever clicked on the link and allowed it to pass your AV/browser extension blocks?

After analyzing the email header, I have also deemed that these emails are being sent through some sort of "affiliate" of PayPal.

Allowing the link to progress does resolve to a legitimate page at PayPal.com, it does not take you to a spam/phishing website.

I am attaching an analysis of the header of the email that has the embedded link containing the domain epl.paypal-communication.com

https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=ef39fbf8-320c-4817-94b4-ca92caea1610

PayPal seem not to want to assist those of us who have contacted them regarding this. We have shown that we have all the tools that show us there does seem to be some affiliation between PayPal and this domain, yet the responses from support totally disregard this volume of information. I for one deem that something fishy is going on with PayPal and how they do not want to share this affiliation they have with said domain.

Am unsure (I only became a member after becoming frustrated with not finding a definitive answer to this issue) if I can attach the link from the email, but here it is below.

https://epl.paypal-communication.com/T/v40000017178e33c1f8f07c66e96c660f0/d75240de57f64a790000021ef3a0bcc4/d75240de-57f6-4a79-bbc5-dba60daba60e?dU=v0G4RBKTXg2GtDSXU69hUjn5RqR7EEyYkx

https://epl.paypal-communication.com/T/v40000017178e33c1f8f07c66e96c660f0/d75240de57f64a790000021ef3a0bcc5/d75240de-57f6-4a79-bbc5-dba60daba60e?dU=v0G4RBKTXg2GtDSXU69hUjn5RqR7EEyYkx

The first link will resolve to

https://www.paypal.com/cy/webapps/mpp/ua/upcoming-policies-full?utm_source=epsilon&utm_campaign=A_EP_EMEA_37204_B2C_B2B_Q1_2020_UA_Email_EMEA_REU_Rest_cy_en_US&utm_medium=email

And the second link will resolve to

https://www.paypal.com/cy/smarthelp/home?utm_source=epsilon&utm_campaign=A_EP_EMEA_37204_B2C_B2B_Q1_2020_UA_Email_EMEA_REU_Rest_cy_en_US&utm_medium=email

As others have posted, they seem to be 3rd party affiliates of PayPal.

That PayPal are in denial about this, well we are free to draw our own conclusions .....

  • 4
    *"have any of you ever clicked on the link"* -> if there's a concern about security and trustworthiness of the email and sender, hopefully **not**! – Bruno Reis Jul 21 '20 at 21:43
  • 1
    Your mxtoolbox link is now dead. Please include the relevant details here in this answer instead of linking to temporary links to 3rd parties. – schroeder Aug 08 '20 at 15:00
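The check this answer does by hand, as an added example that is not part of any post: given the hops of a recorded redirect chain, report which ones sit outside the brand's domain and what campaign tags the final URL carries. The function names are assumptions; the mail link is written in the `xxxxxx` form used in the answer, and the final URL is the first resolved URL quoted there.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MAIL_LINK = "https://epl.paypal-communication.com/xxxxxx"
FINAL_URL = ("https://www.paypal.com/cy/webapps/mpp/ua/upcoming-policies-full"
             "?utm_source=epsilon"
             "&utm_campaign=A_EP_EMEA_37204_B2C_B2B_Q1_2020_UA_Email_EMEA_REU_Rest_cy_en_US"
             "&utm_medium=email")


def host_under(url, domain):
    """True only if the URL's host is `domain` or a subdomain of it."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    domain = domain.lower()
    # Compare on a label boundary so 'notpaypal.com' and
    # 'paypal.com.evil.example' do not pass as 'paypal.com'.
    return host == domain or host.endswith("." + domain)


def strip_utm(url):
    """Return the URL with its utm_* query parameters removed."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not k.lower().startswith("utm_")]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def audit_chain(hops, brand_domain):
    """hops: URLs in the order visited, first = link in the mail."""
    final = hops[-1]
    tags = {k: v for k, v in parse_qsl(urlsplit(final).query)
            if k.lower().startswith("utm_")}
    return {
        "off_brand_hops": [h for h in hops if not host_under(h, brand_domain)],
        "final_on_brand": (urlsplit(final).scheme == "https"
                           and host_under(final, brand_domain)),
        "campaign_tags": tags,
        "final_without_tags": strip_utm(final),
    }


if __name__ == "__main__":
    for key, value in audit_chain([MAIL_LINK, FINAL_URL], "paypal.com").items():
        print(key, "=", value)
```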